server {
  server_name yourdomain.com;
  ...rest of server block

  if ($http_authorization ~ "^(.*)"){
    set $rule_0 1;
  }
  if ($rule_0 = "1"){
    set $http_authorization %1;
  }

}



location /api {
    proxy_http_version 1.1;

    if ($http_authorization != "Bearer 1234") {
        return 401;
    }

    proxy_pass http://app:3000/;
}



Here's the workaround I had to do in order to make this work:

Setup header rewrite inside http block, to make sure there's a space between the bearer word and the token:
map "$http_authorization" $authorization {
    ~*^bearer(\s*)(?<token>(.*))$ "bearer $token";
    default $http_authorization;
}
proxy from one location to another, one unauthenticated that rewrites the header, then proxy to another location that actually authenticates:
location ~ ... { 
 auth_jwt off;
 proxy_set_header Authorization $authorization;
 proxy_pass http://$upstream/reauthenticate/$request_uri;
}

location ~ /reauthenticate/(?<original_uri>(.*)){
  proxy_pass http://$upstream/$original_uri;
}

map $http_authorization $token {
    ~^Bearer\s+(?<bearer>[\S]+)$ $bearer;
}

server {
    ...
    location / {
        auth_request            /uaa;
        ...
    }
    location /uaa {
        internal;
        proxy_pass_request_body off;
        proxy_set_header        Authorization "Basic your_base64_auth_string";
        proxy_set_header        Content-Length "";
        proxy_pass              http://localhost:8080/check_token?token=$token;
    }
}
